The branch, master has been updated via 6c4000d add missing release notes for security releases 4.18.5, 4.17.10 and 4.16.11 from 40ef1bb NEWS[4.18.1]: Samba 4.18.5, 4.17.10 and 4.16.11 Security Releases are available for Download
https://git.samba.org/?p=samba-web.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 6c4000de33aa2be2795bd5192b80598453a2dd6a Author: Jule Anger <jan...@samba.org> Date: Wed Jul 19 16:38:23 2023 +0200 add missing release notes for security releases 4.18.5, 4.17.10 and 4.16.11 Signed-off-by: Jule Anger <jan...@samba.org> ----------------------------------------------------------------------- Summary of changes: history/samba-4.16.11.html | 70 ++++++++++++++++++++++++++++++++++++++++++++ history/samba-4.17.10.html | 73 ++++++++++++++++++++++++++++++++++++++++++++++ history/samba-4.18.5.html | 73 ++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 216 insertions(+) create mode 100644 history/samba-4.16.11.html create mode 100644 history/samba-4.17.10.html create mode 100644 history/samba-4.18.5.html Changeset truncated at 500 lines: diff --git a/history/samba-4.16.11.html b/history/samba-4.16.11.html new file mode 100644 index 0000000..8b7a49f --- /dev/null +++ b/history/samba-4.16.11.html @@ -0,0 +1,70 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> +<title>Samba 4.16.11 - Release Notes</title> +</head> +<body> +<H2>Samba 4.16.11 Available for Download</H2> +<p> +<a href="https://download.samba.org/pub/samba/stable/samba-4.16.11.tar.gz">Samba 4.16.11 (gzipped)</a><br> +<a href="https://download.samba.org/pub/samba/stable/samba-4.16.11.tar.asc">Signature</a> +</p> +<p> +<a href="https://download.samba.org/pub/samba/patches/samba-4.16.10-4.16.11.diffs.gz">Patch (gzipped) against Samba 4.16.10</a><br> +<a href="https://download.samba.org/pub/samba/patches/samba-4.16.10-4.16.11.diffs.asc">Signature</a> +</p> +<p> +<pre> + =============================== + Release Notes for Samba 4.16.11 + July 19, 2023 + =============================== + + +This is a security release in order to address the following defects: + +o CVE-2022-2127: When winbind is used for NTLM authentication, a maliciously + crafted request can trigger an out-of-bounds read in winbind + and possibly crash it. + https://www.samba.org/samba/security/CVE-2022-2127.html + +o CVE-2023-34966: An infinite loop bug in Samba's mdssvc RPC service for + Spotlight can be triggered by an unauthenticated attacker by + issuing a malformed RPC request. + https://www.samba.org/samba/security/CVE-2023-34966.html + +o CVE-2023-34967: Missing type validation in Samba's mdssvc RPC service for + Spotlight can be used by an unauthenticated attacker to + trigger a process crash in a shared RPC mdssvc worker process. + https://www.samba.org/samba/security/CVE-2023-34967.html + +o CVE-2023-34968: As part of the Spotlight protocol Samba discloses the server- + side absolute path of shares and files and directories in + search results. + https://www.samba.org/samba/security/CVE-2023-34968.html + + +Changes since 4.16.10 +--------------------- + +o Ralph Boehme <s...@samba.org> + * BUG 15072: CVE-2022-2127. + * BUG 15340: CVE-2023-34966. + * BUG 15341: CVE-2023-34967. + * BUG 15388: CVE-2023-34968. + +o Samuel Cabrero <scabr...@samba.org> + * BUG 15072: CVE-2022-2127. + +o Volker Lendecke <v...@samba.org> + * BUG 15072: CVE-2022-2127. + +o Stefan Metzmacher <me...@samba.org> + * BUG 15418: Secure channel faulty since Windows 10/11 update 07/2023. + + +</pre> +</p> +</body> +</html> diff --git a/history/samba-4.17.10.html b/history/samba-4.17.10.html new file mode 100644 index 0000000..f345ce6 --- /dev/null +++ b/history/samba-4.17.10.html @@ -0,0 +1,73 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> +<title>Samba 4.17.10 - Release Notes</title> +</head> +<body> +<H2>Samba 4.17.10 Available for Download</H2> +<p> +<a href="https://download.samba.org/pub/samba/stable/samba-4.17.10.tar.gz">Samba 4.17.10 (gzipped)</a><br> +<a href="https://download.samba.org/pub/samba/stable/samba-4.17.10.tar.asc">Signature</a> +</p> +<p> +<a href="https://download.samba.org/pub/samba/patches/samba-4.17.9-4.17.10.diffs.gz">Patch (gzipped) against Samba 4.17.9</a><br> +<a href="https://download.samba.org/pub/samba/patches/samba-4.17.9-4.17.10.diffs.asc">Signature</a> +</p> +<p> +<pre> + =============================== + Release Notes for Samba 4.17.10 + July 19, 2023 + =============================== + + +This is a security release in order to address the following defects: + +o CVE-2022-2127: When winbind is used for NTLM authentication, a maliciously + crafted request can trigger an out-of-bounds read in winbind + and possibly crash it. + https://www.samba.org/samba/security/CVE-2022-2127.html + +o CVE-2023-3347: SMB2 packet signing is not enforced if an admin configured + "server signing = required" or for SMB2 connections to Domain + Controllers where SMB2 packet signing is mandatory. + https://www.samba.org/samba/security/CVE-2023-3347.html + +o CVE-2023-34966: An infinite loop bug in Samba's mdssvc RPC service for + Spotlight can be triggered by an unauthenticated attacker by + issuing a malformed RPC request. + https://www.samba.org/samba/security/CVE-2023-34966.html + +o CVE-2023-34967: Missing type validation in Samba's mdssvc RPC service for + Spotlight can be used by an unauthenticated attacker to + trigger a process crash in a shared RPC mdssvc worker process. + https://www.samba.org/samba/security/CVE-2023-34967.html + +o CVE-2023-34968: As part of the Spotlight protocol Samba discloses the server- + side absolute path of shares and files and directories in + search results. + https://www.samba.org/samba/security/CVE-2023-34968.html + + +Changes since 4.17.9 +-------------------- + +o Ralph Boehme <s...@samba.org> + * BUG 15072: CVE-2022-2127. + * BUG 15340: CVE-2023-34966. + * BUG 15341: CVE-2023-34967. + * BUG 15388: CVE-2023-34968. + * BUG 15397: CVE-2023-3347. + +o Volker Lendecke <v...@samba.org> + * BUG 15072: CVE-2022-2127. + +o Stefan Metzmacher <me...@samba.org> + * BUG 15418: Secure channel faulty since Windows 10/11 update 07/2023. + + +</pre> +</p> +</body> +</html> diff --git a/history/samba-4.18.5.html b/history/samba-4.18.5.html new file mode 100644 index 0000000..42756fc --- /dev/null +++ b/history/samba-4.18.5.html @@ -0,0 +1,73 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> +<title>Samba 4.18.5 - Release Notes</title> +</head> +<body> +<H2>Samba 4.18.5 Available for Download</H2> +<p> +<a href="https://download.samba.org/pub/samba/stable/samba-4.18.5.tar.gz">Samba 4.18.5 (gzipped)</a><br> +<a href="https://download.samba.org/pub/samba/stable/samba-4.18.5.tar.asc">Signature</a> +</p> +<p> +<a href="https://download.samba.org/pub/samba/patches/samba-4.18.4-4.18.5.diffs.gz">Patch (gzipped) against Samba 4.18.4</a><br> +<a href="https://download.samba.org/pub/samba/patches/samba-4.18.4-4.18.5.diffs.asc">Signature</a> +</p> +<p> +<pre> + ============================== + Release Notes for Samba 4.18.5 + July 19, 2023 + ============================== + + +This is a security release in order to address the following defects: + +o CVE-2022-2127: When winbind is used for NTLM authentication, a maliciously + crafted request can trigger an out-of-bounds read in winbind + and possibly crash it. + https://www.samba.org/samba/security/CVE-2022-2127.html + +o CVE-2023-3347: SMB2 packet signing is not enforced if an admin configured + "server signing = required" or for SMB2 connections to Domain + Controllers where SMB2 packet signing is mandatory. + https://www.samba.org/samba/security/CVE-2023-3347.html + +o CVE-2023-34966: An infinite loop bug in Samba's mdssvc RPC service for + Spotlight can be triggered by an unauthenticated attacker by + issuing a malformed RPC request. + https://www.samba.org/samba/security/CVE-2023-34966.html + +o CVE-2023-34967: Missing type validation in Samba's mdssvc RPC service for + Spotlight can be used by an unauthenticated attacker to + trigger a process crash in a shared RPC mdssvc worker process. + https://www.samba.org/samba/security/CVE-2023-34967.html + +o CVE-2023-34968: As part of the Spotlight protocol Samba discloses the server- + side absolute path of shares and files and directories in + search results. + https://www.samba.org/samba/security/CVE-2023-34968.html + + +Changes since 4.18.4 +-------------------- + +o Ralph Boehme <s...@samba.org> + * BUG 15072: CVE-2022-2127. + * BUG 15340: CVE-2023-34966. + * BUG 15341: CVE-2023-34967. + * BUG 15388: CVE-2023-34968. + * BUG 15397: CVE-2023-3347. + +o Volker Lendecke <v...@samba.org> + * BUG 15072: CVE-2022-2127. + +o Stefan Metzmacher <me...@samba.org> + * BUG 15418: Secure channel faulty since Windows 10/11 update 07/2023. + + +</pre> +</p> +</body> +</html> -- Samba Website Repository